
RKinner

Posted 22 April 2005 - 03:33 PM


You have a tough one but let's see what we can do.

Get a copy of winsockxpfix.exe before you do anything. This is just a safety item in case you can't get on the internet afterwards. You just run it and things should work OK after it reboots your system.

Now shut down and reboot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option.

Run HijackThis and just do a Scan only. Check then Fix Checked the following:

Wait 60 seconds and repeat the scan. Did any of the above come back? If so, leave HijackThis up and right-click on the clock and select Task Manager. Then Processes. Find Explorer.exe, right-click on it and select End Process. The desktop will disappear but HijackThis should still be there. If you don't see it, switch to Applications in Task Manager and highlight it there, then press Switch To or just double-click on it. Check and Fix Checked the above again. Restart Explorer by Task Manager, File, New Task (Run), explorer.exe, OK.

Run a third HijackThis scan. Probably the two O20's will still be there and a few others. Leave it up. Start APM.exe (Start, Run, \apm\apm.exe, OK). In the top window find explorer.exe and highlight it. Now move to the bottom window and look for any of the files that are in the list above. Right-click on them and select Unload DLL, then when a little box comes up, press the OK button. Press it as many times as it shows up. When it stops coming up, look for other files within explorer. When you have them all, then go back to the top and check winlogon the same way.

Check the returnees in HijackThis and Fix Checked.

Now run ccleaner.exe. On the first page, uncheck everything but the two lines that have the word Temporary in them, then Run Cleaner.

Reboot into normal mode and run another HijackThis log and send it to me. Let's see how we did.

It's almost the weekend for me so I probably won't get back to you before Monday.

If anything returns and you have a fast link or a friend with a fast link and a CD burner get mwave.exe from: